UK's £650m cyber security strategy 'failing SMEs'

The UK government's flagship £650 million National Cyber Security Programme has been accused by some of its private sector partners of lacking co-ordination and failing SMEs in the battle against the cyber threat.

The four-year programme, launched in Nov. 2011, started more than 40 initiatives last year, with around three-quarters of the £260 million spend going to the government's GCHQ spy surveillance centre and other intelligence and defence agencies.

This year, the programme has involved more government organisations than the core players of GCHQ and CPNI (the Centre for the Protection of National Infrastructure) – including BIS, UK Trade & Investment, the Foreign Office, OCSIA and even the Territorial Army. But this has produced a backlash from the private sector companies increasingly being enrolled to help deliver the programme.

“There are too many people involved and there isn't a great deal of co-ordination,” said one private-sector source, who did not wish to be named.

“Departments such as BIS, UK Trade & Investment, the Foreign Office and OCSIA are talking to the private sector about cyber security and they don't all have the specialist knowledge to know the best advice they should be giving. I think it's confusing to companies,” the source said.

“Already companies are having to try and have a GCHQ relationship and a CPNI relationship – because the co-ordination between the two of them isn't perfect by a long chalk,” the source said. He believes it's tough enough for big companies with many relationships with government. “It is even tougher though for small companies who do not have the contacts in the right parts of government to get help.”

David Garfield, managing director of cyber security at BAE Systems Detica, which helped pilot the programme's latest cyber incident response scheme, said: “It is a complex domain and has necessarily involved lots of different partners across government to try and be involved in that response. Because it is big and complex, I think there is a challenge in co-ordinating and making that coherent. I think what we're seeing is becoming increasingly coherent and there is more co-ordination going on.”

Meanwhile, Etay Maor, fraud prevention manager at IBM-owned cyber crime prevention specialist Trusteer, criticises the lack of information-sharing that private-sector cyber specialists are getting from their government partners. He provides information, he said, but rarely hears back from the government. “A lot of people feel it is a one-way street.”

Other experts voice concerns about the government's failure to help SMEs prevent cyber attacks and data breaches.

For example, Steve Durbin, global vice president of the nonprofit Information Security Forum – whose members include the government's own Cabinet Office – said he'd like to see an increased focus on the need for resilience and raising awareness on providing guidance for small businesses.

“I'm thinking in particular about issues around storage of data, whether that be in the cloud, for instance, or on personal devices. Both of those are exceptionally attractive to the small to medium enterprise because of the cost, and yet they also have inherent issues from the security standpoint that I'm not sure all business leaders are aware of. So we need a lot more effort to raise the level of awareness in that space.”

Other experts see some gains while expressing concern for priorities. Mark Sparshott, EMEA channels director at security-as-a-service provider Proofpoint, said: “It is encouraging to see a government that appears to understand the scale of the challenge our nation faces. However it is disappointing to see more emphasis on investment in investigating and accurately recording the number of incidences of cyber crime rather than providing practical advice to businesses and individuals on how to implement security best practice.

“The best-practice knowledge and technologies to combat the vast majority of cyber crime exist today. However the awareness within consumers and business (particularly small and medium businesses) is distinctly lacking, and so this is one area of ‘prevention’ that all governments need to focus more time and investment on.”

One planned 2013 government initiative will provide targeted cyber threat information and advice for SMEs, but this has not yet materialised.
